
ENISA released a study with a methodology for identifying critical infrastructure in communication networks. While this is important and valuable as a topic, I dove into this study for a particularly selfish reason … I am SEEKING a methodology that we could leverage for identifying critical connected infrastructure (cloud providers, SaaS, shared services internally for large corporations, etc.) for the larger public/private sector. Here are my highlights – I would value any additional analysis, always:

Challenge to the organization: “..which are exactly those assets that can be identified as Critical Information Infrastructure and how we can make sure they are secure and resilient?”

Key success factors:

Detailed list of critical services

Criticality criteria for internal and external interdependencies

Effective collaboration between providers (internal and external)

Interdependency angles:

Interdependencies within a category of service

Interdependencies between categories of services

Interdependencies among data assets

Establish baseline security guidelines (due care):

Balanced to business risks & needs

Established at procurement cycle

Regularly verified (at least within a 3-year cycle)

Tagging/Grouping of critical categories of service

Allows for clean tracking & regular security verifications

Enables troubleshooting

Threat determination and incident response

Methodology next steps:

Partner with business and product teams to identify economic entity / market value

Identify the dependencies listed above and mark criticality based on entity / market value

Develop standards needed by providers

Investigate how monitoring to standards can be managed and achieved (in some cases contracts can support you, others will be a monopoly and you’ll need to augment their processes to protect you)

Refresh and adjust annually to reflect modifications of business values
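
One way to mechanize the dependency-marking and verification steps above, as an added example that is not part of the original post or the ENISA study. The service names, market values, verification dates and the scoring rule (a provider's criticality is the summed value of every business entity that reaches it, directly or through other providers) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: business entity -> market value (arbitrary units).
ENTITY_VALUE = {"online-store": 500, "billing": 300, "internal-wiki": 10}

# Constructed "consumer depends on provider" edges (internal and external).
DEPENDS_ON = {
    "online-store": ["payments-saas", "cloud-iaas"],
    "billing": ["payments-saas", "sso"],
    "internal-wiki": ["sso"],
    "payments-saas": ["cloud-iaas"],
    "sso": ["cloud-iaas"],
}

# Constructed dates of the last security verification per provider.
LAST_VERIFIED = {
    "payments-saas": date(2020, 1, 15),
    "cloud-iaas": date(2023, 6, 1),
    "sso": date(2019, 3, 1),
}

def value_at_risk(entity_value, depends_on):
    """Sum, per provider, the value of each entity that transitively depends on it."""
    exposure = defaultdict(int)
    for entity, value in entity_value.items():
        seen, stack = {entity}, [entity]
        while stack:
            node = stack.pop()
            for dep in depends_on.get(node, []):
                if dep not in seen:  # count each provider once; tolerate cycles
                    seen.add(dep)
                    stack.append(dep)
        for dep in seen - {entity}:
            exposure[dep] += value
    return dict(exposure)

def review_queue(exposure, last_verified, today, max_age_years=3):
    """Rank providers by value at risk and flag any outside the verification cycle."""
    rows = []
    for name, value in sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0])):
        checked = last_verified.get(name)  # never verified counts as overdue
        overdue = checked is None or (today - checked).days > max_age_years * 365
        rows.append((name, value, overdue))
    return rows

if __name__ == "__main__":
    for row in review_queue(value_at_risk(ENTITY_VALUE, DEPENDS_ON), LAST_VERIFIED, date.today()):
        print(row)
```

The shared IaaS provider ranks highest even though no single entity is its largest customer, which is the interdependency effect the "between categories of services" angle is meant to surface.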

I hope this breakout is helpful. The ENISA document has a heavy focus on promoting government / operator ownership, but businesses cannot rely on or wait for such action and should move accordingly. The above is heavily modified and original thinking based on my experience with structuring similar business programs. A bit about ENISA’s original intent of the study: